Secure email with DMARC and SPF

More and more companies are seeing attempts by outsiders to send phishing or spam mails via their domain name, damaging faith in the company and the company’s brand. False emails are an easy way to steal passwords and credit card details and gain access to user accounts. This is a growing problem for companies, impairing credibility and hindering communication by email.

Make sure the mail your company sends is secure by implementing some small validation checks like DMARC and SPF. Both of these options are very easy to implement with a DNS entry.

How DMARC works

DMARC makes use of SPF and DKIM to confirm your domain. To create a key for DKIM, simply go into SpamTitan and generate one. The author Matt Moorehead published a good blog post explaining DMARC in plain English at http://blog.returnpath.com, with this illustration:

DNS DMARC Entry

DMARC records are published in DNS with a subdomain label _dmarc, for example _dmarc.example.com. Compare this to SPF at example.com, and DKIM at selector._domainkey.example.com.

The content of the TXT resource record consists of name=value tags, separated by semicolons, similar to SPF and DKIM. For example:

Here, v is the version, p is the policy, sp the subdomain policy, pct is the percent of “bad” emails on which to apply the policy, and rua is the URI to send aggregate reports to. In this example, the entity controlling the example.com DNS domain intends to monitor SPF and/or DKIM failure rates, and doesn’t expect emails to be sent from subdomains of example.com. Note that a subdomain can publish its own DMARC record; receivers must check it out before falling back to the organizational domain record.
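The tag structure described above can be checked mechanically before a record is published. The following is an added example, not code from the original article or from SpamTitan: it parses a DMARC TXT value and lists weak settings. The sample record and the function names are constructed for illustration, and the parsing rules (v=DMARC1 first, pct defaulting to 100, sp falling back to p) follow RFC 7489.

```python
# Added example: parse and review a DMARC TXT record (tag rules per RFC 7489).
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample record, not taken from the article.
SAMPLE = "v=DMARC1; p=none; sp=reject; pct=50; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(txt):
    """Return {tag: value} for a DMARC TXT value; v=DMARC1 must come first."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue                                # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags.setdefault(name.strip(), value.strip())  # first occurrence wins
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags["p"] = tags.get("p", "").lower()
    tags["sp"] = tags.get("sp", tags["p"]).lower()  # sp falls back to p
    if tags["p"] not in STRENGTH or tags["sp"] not in STRENGTH:
        raise ValueError("missing or unknown p=/sp= policy")
    tags["pct"] = int(tags.get("pct", "100"))       # pct defaults to 100
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags

def effective_policy(tags, from_subdomain):
    """Policy a receiver applies when this record is the one that matches."""
    return tags["sp"] if from_subdomain else tags["p"]

def review(tags):
    """List settings that leave the domain less protected than it could be."""
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if STRENGTH[tags["sp"]] < STRENGTH[tags["p"]]:
        findings.append("sp is weaker than p: subdomains are less protected")
    if tags["pct"] < 100:
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports will be received")
    return findings

if __name__ == "__main__":
    record = parse_dmarc(SAMPLE)
    print("domain policy:", effective_policy(record, False))
    print("subdomain policy:", effective_policy(record, True))
    for finding in review(record):
        print("-", finding)
```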

DNS SPF Entry

The records laid out below are in typical DNS syntax, for example:

"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all"

“v=” defines the version of SPF used. The following words provide mechanisms to use to determine if a domain is eligible to send mail. The “ip4” and “a” specify the systems permitted to send messages for the given domain. The “-all” at the end specifies that, if the previous mechanisms did not match, the message should be rejected.

Use SpamTitan to set up DMARC, DKIM and SPF

Follow this link to set up DKIM. To set up SPF, create an entry in your DNS like the one above; spam engines will then identify your sending mail server from the SPF entry in your DNS.

This will help to ensure your company's mail is safe and your brand is protected.